Ywoa Improper Authorization Vulnerability in Setup.jsp

Vulnerability

A critical improper authorization vulnerability has been identified in Ywoa versions prior to 2024.07.03. The issue resides in the file /oa/setup/setup.jsp, which serves its resources and performs its actions without checking that the requester is authorized. The vulnerability can be exploited remotely without any authentication, potentially leading to unauthorized modifications, such as changing administrator passwords.

Impact

Exploitation of this vulnerability allows for unauthorized access and actions within the application, including the ability to change administrator passwords, according to the advisory.

Reproduction

The vulnerability can be reproduced by accessing the /oa/setup/setup.jsp file without authentication. This can be done by searching for vulnerable targets using Google Hacking techniques, such as looking for URLs that include 'oa/setup/setup.jsp'.
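Defenders checking whether their own Ywoa instance has been reached this way can look for accepted requests to that path in web-server access logs. The following is an added example, not code from the advisory or from Ywoa; it assumes Apache/nginx combined log format, and the log lines in it are constructed samples.

```python
"""Flag accepted requests to the Ywoa setup page in access logs (added example)."""
import re
from collections import Counter

SETUP_PATH = "/oa/setup/setup.jsp"  # path named in the advisory

# Combined log format assumed:
# host ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a parseable access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    return entry


def find_setup_hits(lines):
    """Return entries for the setup page that the server did not reject.

    On an instance that has finished its initial setup, any 2xx/3xx answer
    to this path is a sign the page is reachable without authorization.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["path"].lower().endswith(SETUP_PATH) and e["status"] < 400:
            hits.append(e)
    return hits


def summarize(lines):
    """Count accepted setup-page requests per (source IP, method)."""
    return Counter((e["ip"], e["method"]) for e in find_setup_hits(lines))


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2025:19:46:01 +0000] "GET /oa/setup/setup.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2025:19:46:05 +0000] "POST /oa/setup/setup.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Jun/2025:19:47:10 +0000] "GET /oa/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Jun/2025:19:47:12 +0000] "GET /oa/setup/setup.jsp HTTP/1.1" 403 199 "-" "curl/8.0"',
    'not an access-log line',
]

if __name__ == "__main__":
    for (ip, method), n in summarize(SAMPLE_LOG).items():
        print(f"{ip} {method} {SETUP_PATH}: {n} accepted request(s)")
```

Run it against the real log files instead of SAMPLE_LOG; a 403 or 404 on the path after the upgrade to 2024.07.04 is the expected outcome, accepted requests before it are worth an incident review.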

Remediation

Users are advised to upgrade to Ywoa version 2024.07.04, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM